https://authzed.com logo
Powered by
Hey folks In `spicedb operator` how do I
s

Schadenfreude

03/17/2023, 4:50 PM
Hey folks. In 
spicedb-operator
, how do I specify the client cert that must be used to connect to my postgres datastore? I've added the cert as a TLS secret in Kubernetes, set the 
datastoreTLSSecretName
to the name of the secret in the CRD, and set 
sslmode=require
as a parameter in the 
datastore_uri
but when I apply the CRD, I get errors like 
unable to create migration driver for postgres: failed to connect to `host=a.b.c.d user=*** database=***`: server error (FATAL: connection requires a valid client certificate (SQLSTATE 28000))
from the operator's migration job and 
2023-03-17 16:41:12.855 UTC [73658]: [1-1] db=***,user=*** FATAL:  connection requires a valid client certificate
from postgres. So it seems like there is no cert being presented. Am I missing something? It works fine if I disable SSL on the db and set 
sslmode=never
in the 
datastore_uri
.
v

vroldanbet

03/17/2023, 4:51 PM
@ecordell ☝️
s

Schadenfreude

03/17/2023, 5:01 PM
Alternatively, if there was a way in the CRD to specify a side car container for the SpiceDB cluster, I could probably just use GCP's Cloud SQL Auth proxy and talk to the DB through that via an insecure localhost connection to the proxy.
Here's the full sanitized CRD if that helps: 
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: spicedb
  name: spicedb
---
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: test
  namespace: spicedb
spec:
  config:
    channel: stable
    logLevel: debug
    datastoreEngine: postgres
    datastoreTLSSecretName: spicedb-datastore-tls
    replicas: 1
  secretName: test-spicedb-config
---
apiVersion: v1
kind: Secret
metadata:
  name: test-spicedb-config
  namespace: spicedb
stringData:
  datastore_uri: "postgresql://[username]:[password]@[a.b.c.d]:5432/[dbname]?sslmode=require"
  preshared_key: "[redacted]"
---
apiVersion: v1
kind: Secret
metadata:
  name: spicedb-datastore-tls
  namespace: spicedb
type: kubernetes.io/tls
data:
  tls.crt: [redacted]
  tls.key: [redacted]
The solution is that the 
datastore_uri
must specify the path to the cert and key. With some digging around, I figured out where the datastoreTLSSecretName is mounted. The following URI succeeds: 
datastore_uri: "postgresql://[username]:[password]@[a.b.c.d]:5432/[dbname]?sslmode=require&sslcert=/spicedb-db-tls/tls.crt&sslkey=/spicedb-db-tls/tls.key"
Are these volume mount points guaranteed never to change?
e

ecordell

03/18/2023, 12:55 PM
@Schadenfreude glad you found what you needed! the mount paths are stable, though there might be alternative ways to do it in the future (i.e. you can bypass the default path with 
patches
if you want right now). I filed https://github.com/authzed/spicedb-operator/issues/170 so we don't forget to clarify this
> if there was a way in the CRD to specify a side car container for the SpiceDB cluster, I could probably just use GCP's Cloud SQL Auth proxy and talk to the DB through that via an insecure localhost connection to the proxy. In theory this is possible with the new 
patches
field (see https://github.com/authzed/spicedb-operator/releases/tag/v1.2.0 for docs), but I don't think we've seen anyone do that in the wild. If you end up figuring out how to connect through an auth proxy sidecar, we'd love to hear about it (and get it preserved in docs so others can use it)
#spicedbJoin Discord
Powered by